BadFlick Backdoor Is Being Distributed Via Exploited Word Documents

BadFlick is a backdoor that is usually distributed through Word documents carrying an exploit. It has no persistence mechanism, so it does not survive a reboot, but it can open a reverse shell to its C2 server, from which it can download and execute other malware.

BadFlick uses a Word document (SHA-256 c0b8d15cd0f3f3c5a40ba2e9780f0dd1db526233b40a449826b6a7c92d31f8d9) to exploit a known vulnerability, CVE-2017-11882, in the Microsoft Office component Microsoft Equation Editor (EQNEDT32.EXE). The exploit achieves remote code execution inside EQNEDT32.EXE, whose image is then replaced with the BadFlick backdoor (SHA-256 7ba05abdf8f0323aa30c3d52e22df951eb5b67a2620014336eab7907b0a5cedf) using the process hollowing injection technique.
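Because the backdoor runs inside a hollowed EQNEDT32.EXE and opens a reverse shell, the observable on an endpoint is the Equation Editor making an outbound network connection, which it has no legitimate reason to do. The following is an added detection example, not code from the original write-up: it runs two checks over constructed Sysmon-like events (EventID 3 is a network connection, as in real Sysmon; the paths, process names other than EQNEDT32.EXE and the 10.0.0.5 address are constructed), flagging any connection by EQNEDT32.EXE and any process contacting the C2 address and port quoted in the write-up.

```python
from typing import Dict, List, Tuple

EQNEDT_NAME = "EQNEDT32.EXE"

# C2 address and port taken from the write-up's configuration example.
KNOWN_C2 = ("103.243.175.181", 80)

# Constructed telemetry in a simplified Sysmon-like shape (not real logs):
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "DestinationIp": "103.243.175.181", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "103.243.175.181", "DestinationPort": 80},
]


def image_basename(path: str) -> str:
    """Return the upper-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def eqnedt_network_connections(events) -> List[Tuple[str, int]]:
    """Return (dest_ip, dest_port) for every network connection made by EQNEDT32.EXE.

    Equation Editor is a local OLE server; any outbound connection from it is
    consistent with the hollowed-process behaviour described for BadFlick.
    """
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        if image_basename(str(ev.get("Image", ""))) != EQNEDT_NAME:
            continue
        hits.append((str(ev["DestinationIp"]), int(ev["DestinationPort"])))
    return hits


def known_c2_contacts(events, c2: Tuple[str, int] = KNOWN_C2) -> List[str]:
    """Return the image name of every process that connected to the known C2 ip:port."""
    return [
        image_basename(str(ev.get("Image", "")))
        for ev in events
        if ev.get("EventID") == 3
        and (str(ev.get("DestinationIp")), int(ev.get("DestinationPort", 0))) == c2
    ]


if __name__ == "__main__":
    for ip, port in eqnedt_network_connections(SAMPLE_EVENTS):
        print(f"ALERT: {EQNEDT_NAME} connected to {ip}:{port}")
    for image in known_c2_contacts(SAMPLE_EVENTS):
        print(f"ALERT: {image} contacted known C2 {KNOWN_C2[0]}:{KNOWN_C2[1]}")
```

The first check is behavioural and survives a change of C2 address; the second is the IOC match and is only as good as the indicator list, so both are worth running.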

BadFlick’s backdoor configuration is hard-coded in its body in the format <configState>|<C2 ip address>|<port>|<sleep>|, e.g. 1|103[.]243[.]175[.]181|80|5|xxxxxxxxxxxxxxxxxxxxxxx, where:

1 = default configuration state of the backdoor

103[.]243[.]175[.]181 = C2 server IP address

80 = port used

5 = time to wait (in minutes) between connections
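A pipe-delimited configuration like this can be pulled straight out of an unpacked sample or memory dump. The extractor below is an added example, not code from the original write-up: the regular expression, the SAMPLE_BLOB bytes and the validation rules are constructed here. It accepts both the plain and the defanged ([.]) form of the address, validates the IP and port so that random pipe-separated digits in a binary are not reported as a configuration, and returns the fields the write-up describes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an unpacked sample body; only the configuration
# string follows the format given in the write-up, the surrounding bytes are filler.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90padding\x00"
    b"1|103.243.175.181|80|5|xxxxxxxxxxxxxxxxxxxxxxx"
    b"\x00morebytes\x00"
)

# <configState>|<C2 ip address>|<port>|<sleep>|  with the ip optionally defanged as 1[.]2[.]3[.]4
CONFIG_RE = re.compile(
    rb"(?P<state>\d)\|"
    rb"(?P<ip>(?:\d{1,3}\[?\.\]?){3}\d{1,3})\|"
    rb"(?P<port>\d{1,5})\|"
    rb"(?P<sleep>\d{1,4})\|"
)


@dataclass
class BadFlickConfig:
    state: int
    c2_ip: str          # normalised, plain dotted form
    port: int
    sleep_minutes: int


def parse_config(blob: bytes) -> Optional[BadFlickConfig]:
    """Locate and validate the first configuration string in blob, or return None."""
    m = CONFIG_RE.search(blob)
    if not m:
        return None
    ip_txt = m.group("ip").decode("ascii").replace("[.]", ".")
    try:
        ip = ipaddress.ip_address(ip_txt)   # rejects octets above 255
    except ValueError:
        return None
    port = int(m.group("port").decode("ascii"))
    if not 1 <= port <= 65535:
        return None
    return BadFlickConfig(
        state=int(m.group("state").decode("ascii")),
        c2_ip=str(ip),
        port=port,
        sleep_minutes=int(m.group("sleep").decode("ascii")),
    )


def defang(ip: str) -> str:
    """Render an address in the [.] form used when sharing indicators."""
    return ip.replace(".", "[.]")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_BLOB)
    if cfg:
        print(f"state={cfg.state} c2={defang(cfg.c2_ip)} port={cfg.port} sleep={cfg.sleep_minutes}m")
```

The sleep value is worth keeping alongside the address: a beacon every five minutes to a fixed ip:port is itself a usable network detection even when the address changes between builds.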

On a successful connection to its C2 server, this backdoor will
proceed to extract and send the following information about the infected
machine:

Computer Name

IP Address

Windows Version Number and Service Pack

Number of CPU cores and speed

Size of RAM

It also appends the string winMain static green to the end of the data and then uses CRC32 to compress the data before sending it. (Note that CRC32 is a 32-bit checksum rather than a compression algorithm, so this step yields an integrity value over the data; it does not reduce its size.)
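To make the CRC32 step concrete, the following added example (not the write-up's code, and not recovered from the sample) models the beacon as the collected fields, the winMain static green marker and a trailing CRC32, and then shows how an analyst could check a captured payload against that layout. The "|" field separator, the field order and the little-endian encoding of the checksum are assumptions made for the example; the host values are constructed.

```python
import struct
import zlib
from typing import Dict

# Marker string the write-up says is appended before the CRC32 is applied.
MARKER = b"winMain static green"

# Constructed host profile covering the fields the write-up lists.
CONSTRUCTED_HOST: Dict[str, str] = {
    "computer_name": "WS-FINANCE-07",
    "ip": "192.0.2.25",
    "windows_version": "6.1 SP1",
    "cpu": "4 cores @ 2400 MHz",
    "ram": "8192 MB",
}


def build_profile(info: Dict[str, str]) -> bytes:
    """Serialise the collected fields; the '|' separator and order are assumed."""
    order = ("computer_name", "ip", "windows_version", "cpu", "ram")
    return b"|".join(info[key].encode("utf-8") for key in order)


def finalise_beacon(profile: bytes) -> bytes:
    """Append the marker and a CRC32 over marker-terminated data (little-endian assumed)."""
    body = profile + MARKER
    return body + struct.pack("<I", zlib.crc32(body))


def verify_beacon(blob: bytes) -> bool:
    """Return True if blob ends with the marker plus a CRC32 that matches the preceding bytes.

    Useful when triaging a captured payload: a valid checksum and marker support
    attributing the traffic to this layout, a mismatch means a different format
    or a truncated capture.
    """
    if len(blob) < len(MARKER) + 4:
        return False
    body, tail = blob[:-4], blob[-4:]
    if not body.endswith(MARKER):
        return False
    return struct.unpack("<I", tail)[0] == zlib.crc32(body)


def size_delta(profile: bytes) -> int:
    """How many bytes the marker-plus-CRC32 step adds; CRC32 never shrinks the data."""
    return len(finalise_beacon(profile)) - len(profile)


if __name__ == "__main__":
    profile = build_profile(CONSTRUCTED_HOST)
    beacon = finalise_beacon(profile)
    print(f"profile {len(profile)} bytes, beacon {len(beacon)} bytes, valid={verify_beacon(beacon)}")
```

size_delta() makes the caveat above measurable: the output is always the input plus the marker plus four checksum bytes, never smaller.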

C&C IOC

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.


Duncan Newell
